Impact of `encoding/xml` vulns
licaon-kter opened this issue · 4 comments
From @mdosch:
FYI
https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md
https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md
https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md
Sorry, but I think I'm missing some context here. How are these vulnerabilities supposed to affect the project?
It affects Go stuff that processes XML; jackal does this, maybe this one is too.
It's more a heads-up, you'd need to analyze if your usage is impacted or not.
If there is no security concern related to the ordering of attributes and elements, I don't believe these types of vulnerabilities affect the project. Basically, there is no way to ensure deterministic ordering between a struct and an XML doc through round trips. There are third-party libraries which may be discussed in that blog post, if I recall, which can help this, but my guess is that this is not necessary unless you have some of the same concerns as projects like SAML, which I believe is where this was identified as an issue.
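The "analyze if your usage is impacted" step above can be turned into a concrete check: decode a document with `encoding/xml`, re-encode the token stream, decode the result again, and compare the two token streams. If they differ, the bytes the program forwards (or signs) are not the document it validated, which is the condition the three linked advisories describe. The code below is an added example for this thread, not code from the project, from jackal, or from mattermost's validator; the two sample documents are constructed, and whether the namespaced one round-trips depends on the Go version in use, so the example reports the outcome rather than assuming it.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"reflect"
)

// tokenize decodes doc into a slice of copied tokens. CopyToken matters:
// the decoder reuses its buffers, so uncopied CharData would be overwritten.
func tokenize(doc []byte) ([]xml.Token, error) {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	var toks []xml.Token
	for {
		t, err := dec.Token()
		if err == io.EOF {
			return toks, nil
		}
		if err != nil {
			return nil, err
		}
		toks = append(toks, xml.CopyToken(t))
	}
}

// reencode serialises a token stream with xml.Encoder, the same path a
// Go program takes when it forwards or re-signs a parsed document.
func reencode(toks []xml.Token) ([]byte, error) {
	var buf bytes.Buffer
	enc := xml.NewEncoder(&buf)
	for _, t := range toks {
		if err := enc.EncodeToken(t); err != nil {
			return nil, err
		}
	}
	if err := enc.Flush(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// FirstDifference returns the index of the first token at which a and b
// disagree, or -1 when the streams are identical.
func FirstDifference(a, b []xml.Token) int {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	for i := 0; i < n; i++ {
		if !reflect.DeepEqual(a[i], b[i]) {
			return i
		}
	}
	if len(a) != len(b) {
		return n
	}
	return -1
}

// RoundTrips reports whether doc yields the same token stream after being
// decoded, re-encoded and decoded again. The re-encoded bytes are returned
// so a caller can log exactly what changed when the answer is false.
func RoundTrips(doc []byte) (bool, []byte, error) {
	first, err := tokenize(doc)
	if err != nil {
		return false, nil, err
	}
	out, err := reencode(first)
	if err != nil {
		return false, nil, err
	}
	second, err := tokenize(out)
	if err != nil {
		return false, out, err
	}
	return FirstDifference(first, second) == -1, out, nil
}

func main() {
	// Constructed samples (hypothetical, not taken from any real traffic):
	// a plain document, and one with a namespace-prefixed attribute, the
	// shape the unstable-attributes advisory is about. Whether the second
	// one round-trips depends on the Go version in use.
	samples := []string{
		`<note id="1"><to>Tove</to><body>Hi &amp; bye</body></note>`,
		`<iq xmlns:x="urn:example:x" x:id="1"><query/></iq>`,
	}
	for _, s := range samples {
		ok, out, err := RoundTrips([]byte(s))
		fmt.Printf("stable=%v err=%v\n  in:  %s\n  out: %s\n", ok, err, s, out)
	}
}
```

A program that only unmarshals into structs and never re-emits the XML has little to gain from this check; it is relevant at the points where a parsed document is serialised again and handed to another consumer, which is why the thread's answer turns on whether ordering and re-encoding are security-relevant for this project.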